Monday, February 25, 2008

We finally went live with two FE (front end) servers load balanced behind the content switch. All BE (back end) servers are reached from outside through these two OWA FE servers. The OWA traffic is directed to a URL, something like Https://smtp25.org/webmail ; this CNAME maps to the IP address of the ISA virtual IP address. The ISA (proxy) server accepts all the traffic and passes it over to the inside network. The way we configured ISA is with two interfaces: one is public, the other one is internal. When ISA accepts traffic on port 80, it redirects it to SSL (443) and passes it to the inside-network VIP (virtual IP of the content switch). The content switch is configured to distribute the traffic in round-robin fashion: one session to server A, the second session to server B, the third to server A, the fourth to server B and so on. This is where you get the "load balance" type of configuration.

Anyway, after completing this entire task, we realized we forgot to enable the "Password Change" feature. Now I am writing down all the notes I put together to archive the mission with a little finding. Creating a virtual directory called "Iisadmpwd" is the first step, as shown below. Of course all these little things we do are not required in Exchange 2007, because it is all built in, so upgrade to Exchange 2007 whenever possible (-:

In the Virtual Directory Access Permissions, grant Read, Run scripts and Execute permissions. Click Next, then Finish.

On the "Iisadmpwd" directory, right-click, go to Properties and make sure Execute permissions are set to "Scripts and executables" and the application pool is "ExchangeApplicationPool".

One more thing to do: click on Directory Security, and under Authentication and access control click Edit and make sure only "Basic authentication (password is sent in clear text)" is selected.

Now you need to enable a registry key. All you need to do is copy and paste the code below into Notepad and save it as "DisablePassword_to_0.reg"; after this, double-click the .reg file to make the changes in the registry.

PS: Here is the trick. After you have done all the hard work, you will have to reset IIS and make sure the Information Store service is restarted on the BE (back end) server to get this working; otherwise you won't see the Change Password option when you log into OWA.

There is one property in the metabase: PasswordChangeFlags. The default value in Windows 2003 (IIS 6.0) is 6. With the PasswordChangeFlags metabase property set to 6 you cannot change the password in OWA when the user's password expires or "Change password at next logon" is selected.

If everything is not working and you are not getting the "User must change password" / password expired prompt, you have to run the scripts below to get it going on the FE servers. Click Run, type cmd, and go to the "C:\Inetpub\AdminScripts" directory. Use the get script first; if you get "6" it means the prompt for an expired password is not allowed, so use the second script to set it to "0". After IISRESET, OWA will happily prompt you with the "your password has expired and must be changed" window.

Check the value with the following command on the server:

C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc\PasswordChangeFlags

Set the value with the following command on the server:

C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc\PasswordChangeFlags 0
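Here is an added PowerShell check (my own example, not part of the original post) that audits the FE settings walked through above via the IIS 6 metabase ADSI provider: the PasswordChangeFlags value, the Iisadmpwd virtual directory permissions, its application pool, and that Basic authentication is the only method enabled. It assumes OWA lives on web site instance 1 (Default Web Site) and that it runs locally on the FE as an administrator.

```powershell
# Added example, not from the original post: audit the FE settings described
# above using the IIS 6 metabase ADSI provider (IIS:// namespace).
# Assumptions: OWA is on web site instance 1 (Default Web Site); run locally
# on the FE as an administrator; needs PowerShell 2.0+ for try/catch.
$siteId   = 1
$vdirPath = "IIS://localhost/W3SVC/$siteId/Root/Iisadmpwd"

# IIS 6 metabase bit flags (MD_ACCESS_* and MD_AUTH_* constants).
$AccessRead = 1; $AccessExecute = 4; $AccessSsl = 8; $AccessScript = 512
$AuthBasic  = 2

$problems = @()

# 1. PasswordChangeFlags on W3SVC: the post says 6 blocks the expired-password
#    prompt and 0 allows it (same value "cscript adsutil.vbs get" reports).
$w3svc = [ADSI]"IIS://localhost/W3SVC"
$pcf   = [int]$w3svc.PasswordChangeFlags.Value
if ($pcf -ne 0) { $problems += "W3SVC PasswordChangeFlags is $pcf, expected 0" }

# 2. The Iisadmpwd virtual directory: Read + Execute + Scripts, the Exchange
#    application pool, and Basic authentication only.
try {
    $vdir   = [ADSI]$vdirPath
    $access = [int]$vdir.AccessFlags.Value
    $auth   = [int]$vdir.AuthFlags.Value
    $pool   = [string]$vdir.AppPoolId.Value

    $wanted = $AccessRead -bor $AccessExecute -bor $AccessScript
    if (($access -band $wanted) -ne $wanted) {
        $problems += "Iisadmpwd AccessFlags=$access, missing Read/Execute/Scripts"
    }
    if ($auth -ne $AuthBasic) {
        $problems += "Iisadmpwd AuthFlags=$auth, expected Basic only ($AuthBasic)"
    }
    if ($pool -ne "ExchangeApplicationPool") {
        $problems += "Iisadmpwd runs in pool '$pool', expected ExchangeApplicationPool"
    }
    # Basic auth sends the password in clear text: the hop to this server must be
    # SSL (or bridged from ISA as in the post), otherwise credentials are exposed.
    if (-not ($access -band $AccessSsl)) {
        $problems += "Iisadmpwd does not require SSL; confirm ISA bridges HTTPS to this FE"
    }
} catch {
    $problems += "Virtual directory not found at $vdirPath (create Iisadmpwd first)"
}

if ($problems.Count -eq 0) {
    "OWA password change prerequisites look good; if the option is still missing, run IISRESET and restart the Information Store on the BE."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```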

Sunday, February 10, 2008

The key performance factor of the DC (domain controller) is how much of the database can be cached in memory. The process responsible for this task is LSASS.EXE; its caching mechanism releases cache to free memory when the OS requires it. Domain controllers that are not strong enough (low memory) will not be able to cache as much, and this will be a noticeable performance issue on the domain controller. Therefore it is a good idea to make sure the DCs have enough memory installed and that other processes are not eating up DC memory.

The core process LSASS.EXE is also responsible for replication, authentication, Net Logon and the KCC. If LSASS is not happy, this is going to cause a busy and tired DC (domain controller). Any process other than LSASS MUST be investigated if it is utilizing most of the CPU resources on a domain controller.

The similar behavior in Exchange is Store.exe, if you remember.

What is LSASS.EXE? LSASS manages local security authority domain authentication and Active Directory management.

The Lsass.exe process is responsible for the management of local security authority domain authentication and Active Directory management. This process handles authentication for both the client and the server, and it also governs the Active Directory engine. The Lsass.exe process is responsible for the following components:

Local Security Authority

Net Logon service

Security Accounts Manager service

LSA Server service

Secure Sockets Layer (SSL)

Kerberos v5 authentication protocol

NTLM authentication protocol

Lsass.exe usually uses 100 MB to 300 MB of memory. Lsass.exe uses the same amount of memory no matter how much RAM is installed in the computer. However, when a larger amount of RAM is installed, Lsass can use more RAM and less virtual memory.
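As an added example (mine, not from the original post), the following PowerShell script turns the rule of thumb above into a quick DC health check: it samples per-process CPU over an interval, treats LSASS as the expected busy process, flags any other process dominating the CPU, and compares the LSASS working set with the 100 MB to 300 MB range quoted above. The sampling interval and the 25% alert threshold are my own choices, and it assumes it runs as an administrator on the DC.

```powershell
# Added example, not from the original post: DC health check based on the
# rule of thumb that LSASS.EXE is the process expected to be busy on a DC,
# any other CPU hog deserves investigation, and the LSASS working set is
# normally 100-300 MB. Thresholds are my own choices; run as admin on the DC.
param([int]$SampleSeconds = 10, [int]$CpuAlertPercent = 25)

$cores = [Environment]::ProcessorCount

# Snapshot CPU time per process, wait, snapshot again: the delta over the
# interval divided by the elapsed CPU capacity gives % CPU per process.
$before = @{}
foreach ($p in Get-Process) {
    try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # Idle/System may deny access
}
Start-Sleep -Seconds $SampleSeconds

$findings = @()
foreach ($p in Get-Process) {
    if (-not $before.ContainsKey($p.Id)) { continue }          # started mid-sample
    try { $cpuSec = ($p.TotalProcessorTime - $before[$p.Id]).TotalSeconds } catch { continue }
    $pct = [math]::Round(100 * $cpuSec / ($SampleSeconds * $cores), 1)
    if ($pct -lt $CpuAlertPercent) { continue }
    if ($p.ProcessName -eq "lsass") {
        $findings += "lsass at $pct% CPU: expected on a DC (replication/auth/KCC), watch for sustained load"
    } else {
        $findings += "INVESTIGATE: $($p.ProcessName) (PID $($p.Id)) at $pct% CPU on a domain controller"
    }
}

# The LSASS working set includes the directory database cache on a Windows 2003 DC.
$lsass = Get-Process -Name lsass
$wsMb  = [math]::Round($lsass.WorkingSet64 / 1MB)
if ($wsMb -lt 100) {
    $findings += "lsass working set is ${wsMb} MB: below the usual 100-300 MB, check whether other processes are squeezing DC memory"
} elseif ($wsMb -gt 300) {
    $findings += "lsass working set is ${wsMb} MB: above the quoted range, expected when more RAM is installed and the database is large"
}

if ($findings.Count -eq 0) { "No process above $CpuAlertPercent% CPU; lsass working set ${wsMb} MB looks normal" }
else { $findings }
```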

Have you ever used Server Performance Advisor V1.0? This is a FREE utility from Microsoft. Server Performance Advisor is a server performance diagnostic tool developed to diagnose root causes of performance problems in a Windows Server 2003 operating system.

I heard it took many steps (cluster setup steps; I never counted, but there were 23 steps) to set up a cluster in Windows 2003. The new cluster takes a couple of steps to get up and running. Windows 2008 brought the new Cluster MMC 3.0, so CluAdmin is gone. In Windows 2008, clustering is being called "Failover Clustering".

Cluster logging (text logging is gone along with CluAdmin): the new MMC is the tool to use for Windows 2008 clusters, and there is a Validate tool built into the Cluster MMC. This tool provides multiple tests.

What to do when the cluster hangs: enable User Mode Hang Detection.

The following symptoms typically indicate that the cluster node has stopped responding:

You can confirm IP connectivity to the server that is hanging by pinging it.

You cannot successfully establish a connection to the server by using the net use command.

You cannot successfully connect to the server by using a Terminal Services client.

You can move the mouse pointer when you log on locally to the server.

You cannot start programs or utilities when you are logged on locally to the server.

Of course this is built right into the Windows 2008 architecture. There is also a reporting function built into the new cluster configuration management.

Cluster signature management is handled through a better GUI in Windows 2008. GPT is supported. The new Symantec Foundation for Windows will be supported. DHCP is supported now: any network cluster resource will be able to use DHCP. I am not sure if anyone would really use this just because it is supported; I personally would not (-:, but it is supported in the Windows 2008 cluster configuration, just to let you know. NetBIOS is not needed anymore in Windows 2008. The cluster GUI is built into MMC 3.0, so Windows 2008 is promising no MORE hourglass, simply because CluAdmin is gone and MMC cannot crash (-:

The cluster migration tool will make things easy; this tool will assist in migrating cluster configurations from one cluster to another.

Cluster management is finally getting retired from being a rocket scientist job to a regular admin type of job. The Windows 2008 CSA runs the service account as Local System, which is very nice. No more worrying about the cluster special account.

I am very excited to expose myself to the new cluster management MMC and tools. Hopefully Windows 2008 servers will get deployed fast into most networks and we will have the opportunity to explore the new features in a production environment.

Thursday, February 7, 2008

Let's say the company decided to implement mailbox policies for all mail-enabled users. You are assigned to get this task done based on the company policy. A regular mailbox policy would be to delete e-mails older than X number of days. To set this up on the Exchange org you need to start from ESM, drill down to Recipient Policies under the Recipients folder in ESM, create a new recipient policy and select "Mailbox Manager Settings".

Image-1

Name your policy. Once you get there, right-click, click Modify and select where you want to apply this policy; in my case I chose a single server. Click on Mailbox Manager Settings (Policy) and complete each field so that it corresponds to or satisfies your company policy. At the bottom there is an option to send mail to clients and let them know what is happening.

When all looks good click apply and save the policy in ESM.

Image-2

Go to the properties of the Exchange server.

Under Mailbox Management, click on Custom Schedule; I picked 6 AM every day. Click on Reporting and point it to a DL (Exchange administrators); we also want a detailed report.

Image-3

Manually initiating Mailbox Management

If you right-click the new Mailbox Management recipient policy and select Apply This Policy Now, the policy gets applied right away regardless of the schedule. Also right-click the Recipient Update Service; under "Recipient Update Service" select Update Now and, after doing this, select Rebuild.

This will kick off the RUS with the new policy, which then applies the policy to existing objects that meet the search criteria. For better redundancy, dedicating multiple bridgehead servers and different DCs/GCs would be a good way of making sure RUS stamps all policies and the SMTP proxy addresses.

Friday, February 1, 2008

You want your users to update their own settings within the GAL, and you decided to use the GALMODE utility, which was supported with Exchange 5.5. Companies won't like spending money to get some other/better product; instead they like to make their existing tool work with any version of Exchange. So I was tasked to make GALMODE work in a large mixed environment of Exchange 2000 and 2003.

First you will need GALMODE.EXE; if you don't have it, ping me. Second, follow the steps in KB-272198